Clay Murphy | fcf8f18 | 2015-03-11 22:43:31 -0700 | [diff] [blame] | 1 | page.title=Verifying Boot |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 2 | @jd:body |
| 3 | |
| 4 | <!-- |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 5 | Copyright 2015 The Android Open Source Project |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 6 | |
| 7 | Licensed under the Apache License, Version 2.0 (the "License"); |
| 8 | you may not use this file except in compliance with the License. |
| 9 | You may obtain a copy of the License at |
| 10 | |
| 11 | http://www.apache.org/licenses/LICENSE-2.0 |
| 12 | |
| 13 | Unless required by applicable law or agreed to in writing, software |
| 14 | distributed under the License is distributed on an "AS IS" BASIS, |
| 15 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 16 | See the License for the specific language governing permissions and |
| 17 | limitations under the License. |
| 18 | --> |
| 19 | <div id="qv-wrapper"> |
| 20 | <div id="qv"> |
| 21 | <h2>In this document</h2> |
| 22 | <ol id="auto-toc"> |
| 23 | </ol> |
| 24 | </div> |
| 25 | </div> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 26 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 27 | <p>Verified boot guarantees the integrity of the device software starting from a |
| 28 | hardware root of trust up to the system partition. During boot, each stage |
| 29 | verifies the integrity and authenticity of the next stage before executing it.</p> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 30 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 31 | <p>This capability can be used to warn users of unexpected changes to the |
| 32 | software when they acquire a used device, for example. It will also provide an |
| 33 | additional signal of device integrity for remote attestation, and together with |
| 34 | encryption and Trusted Execution Environment (TEE) root of trust binding, adds |
| 35 | another layer of protection for user data against malicious system software.</p> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 36 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 37 | <p>If verification fails at any stage, the user is visibly |
| 38 | notified.</p> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 39 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 40 | <h2 id=glossary>Glossary</h2> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 41 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 42 | <table> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 43 | <col width="15%"> |
| 44 | <col width="85%"> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 45 | <tr> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 46 | <th>Term</th> |
| 47 | <th>Definition</th> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 48 | </tr> |
| 49 | <tr> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 50 | <td>Boot state</td> |
| 51 | <td>The boot state of the device describes the level of protection provided |
| 52 | to the end user if the device boots. Boot states are GREEN, YELLOW, |
| 53 | ORANGE, and RED.</td> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 54 | </tr> |
| 55 | <tr> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 56 | <td>Device state</td> |
| 57 | <td>The device state indicates how freely software can be flashed to the device. |
| 58 | Device states are LOCKED and UNLOCKED.</td> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 59 | </tr> |
| 60 | <tr> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 61 | <td>dm-verity</td> |
| 62 | <td>Linux kernel driver for verifying the integrity of a partition at runtime using |
| 63 | a hash tree and signed metadata.</td> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 64 | </tr> |
| 65 | <tr> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 66 | <td>OEM key</td> |
| 67 | <td>The OEM key is a fixed, tamper-protected key available to the bootloader that |
| 68 | must be used to verify the boot image.</td> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 69 | </tr> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 70 | </table> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 71 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 72 | <h2 id=overview>Overview</h2> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 73 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 74 | <p>In addition to device state—which already exists in devices and controls |
| 75 | whether the bootloader allows new software to be flashed—verified boot introduces |
| 76 | the concept of boot state that indicates the state of device integrity.</p> |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 77 | |
| 78 | <h3 id=classes>Classes</h3> |
| 79 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 80 | <p>Two implementation classes exist for verified boot. Depending on how |
| 81 | fully the device implements this specification, they are defined as follows:</p> |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 82 | |
| 83 | <p><strong>Class A</strong> implements verified boot with full chain of trust |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 84 | up to verified partitions. In other words, the implementation supports the |
| 85 | LOCKED device state, and GREEN and RED boot states.</p> |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 86 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 87 | <p><strong>Class B</strong> implements Class A, and additionally supports the |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 88 | UNLOCKED device state and the ORANGE boot state.</p> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 89 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 90 | <h3 id=verification_keys>Verification keys</h3> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 91 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 92 | <p>Bootloader integrity is always verified using a hardware root of trust. For |
| 93 | verifying boot and recovery partitions, the bootloader has a fixed OEM key |
| 94 | available to it. It always attempts to verify the boot partition using the OEM |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 95 | key first and try other possible keys only if this verification fails.</p> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 96 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 97 | <p>In Class B implementations, it is possible for the user to flash |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 98 | software signed with other keys when the device is UNLOCKED. If the device is |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 99 | then LOCKED and verification using the OEM key fails, the bootloader tries |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 100 | verification using the certificate embedded in the partition signature. |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 101 | However, using a partition signed with anything other than the OEM key |
| 102 | results in a notification or a warning, as described below.</p> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 103 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 104 | <h3 id=boot_state>Boot state</h3> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 105 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 106 | <p>A verified device will ultimately boot into one of the four states during |
| 107 | each boot attempt:</p> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 108 | |
| 109 | <ul> |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 110 | <li>GREEN, indicating a full chain of trust extending from the bootloader to |
| 111 | verified partitions, including the bootloader, boot partition, and all verified |
| 112 | partitions. |
| 113 | |
| 114 | <li>YELLOW, indicating the boot partition has been verified using the |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 115 | embedded certificate, and the signature is valid. The bootloader |
| 116 | displays a warning and the fingerprint of the public key before allowing |
| 117 | the boot process to continue. |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 118 | |
| 119 | <li>ORANGE, indicating a device may be freely modified. Device integrity is |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 120 | left to the user to verify out-of-band. The bootloader displays a warning |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 121 | to the user before allowing the boot process to continue. |
| 122 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 123 | <li>RED, indicating the device has failed verification. The bootloader |
| 124 | displays a warning and stops the boot process. |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 125 | </ul> |
| 126 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 127 | <p>The recovery partition is verified in the exact same way, as well.</p> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 128 | |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 129 | <h3 id=device_state>Device state</h3> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 130 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 131 | <p>The possible device states and their relationship with the four verified |
| 132 | boot states are:</p> |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 133 | <ol> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 134 | <li>LOCKED, indicating the device cannot be flashed. A LOCKED device |
| 135 | boots into the GREEN, YELLOW, or RED states during any attempted boot. |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 136 | |
| 137 | <li>UNLOCKED, indicating the device may be flashed freely and is not intended |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 138 | to be verified. An UNLOCKED device always boots to the ORANGE boot state. |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 139 | </ol> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 140 | |
Clay Murphy | 1b77cc2 | 2014-12-17 18:20:06 -0800 | [diff] [blame] | 141 | <img src="../images/verified_boot.png" alt="Verified boot flow" id="figure1" /> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 142 | <p class="img-caption"><strong>Figure 1.</strong> Verified boot flow</p> |
| 143 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 144 | <h2 id=detailed_design>Detailed design</h2> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 145 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 146 | <p>Achieving full chain of trust requires support from both the bootloader and the |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 147 | software on the boot partition, which is responsible for mounting further |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 148 | partitions. Verification metadata is also appended to the system partition |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 149 | and any additional partitions whose integrity should be verified.</p> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 150 | |
| 151 | <h3 id=bootloader_requirements>Bootloader requirements</h3> |
| 152 | |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 153 | <p>The bootloader is the guardian of the device state and is responsible for |
| 154 | initializing the TEE and binding its root of trust.</p> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 155 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 156 | <p>Most importantly, the bootloader verifies the integrity of the boot and/or |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 157 | recovery partition before moving execution to the kernel and display the |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 158 | warnings specified in the section <a href="#boot_state">Boot state</a>.</p> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 159 | |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 160 | <h4 id=changing_device_state>Changing device state</h4> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 161 | |
| 162 | <p>State changes are performed using the <code>fastboot flashing [unlock | |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 163 | lock]</code> command. And to protect user data, <strong>all</strong> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 164 | state transitions wipe the data partitions and ask the user for |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 165 | confirmation before data is deleted.</p> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 166 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 167 | <ol> |
| 168 | <li>The UNLOCKED to LOCKED transition is anticipated when a user buys a used |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 169 | development device. As a result of locking the device, the user should have |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 170 | confidence that it is in a state produced by the device manufacturer, as long |
| 171 | as there is no warning. |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 172 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 173 | <li>The LOCKED to UNLOCKED transition is expected in the case where a developer |
| 174 | wishes to disable verification on the device. |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 175 | </ol> |
| 176 | |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 177 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 178 | <p><code>fastboot</code> commands that alter device state are listed in the table below:</p> |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 179 | |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 180 | <table> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 181 | <col width="25%"> |
| 182 | <col width="75%"> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 183 | <tr> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 184 | <th><code>fastboot</code> command</th> |
| 185 | <th>Description</th> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 186 | </tr> |
| 187 | <tr> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 188 | <td><code>flashing lock</code></td> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 189 | <td> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 190 | <ul> |
| 191 | <li>Wipe data after asking the user for confirmation |
| 192 | <li>Clear a write-protected bit, readable by the bootloader, indicating |
| 193 | the device is unlocked |
| 194 | </ul> |
| 195 | </td> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 196 | </tr> |
| 197 | <tr> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 198 | <td><code>flashing unlock</code></td> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 199 | <td> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 200 | <ul> |
| 201 | <li>If the unlock device setting has not been enabled by the user, |
| 202 | abort unlocking |
| 203 | <li>Wipe data after asking the user for confirmation |
| 204 | <li>Set a write-protected bit, readable by the bootloader, indicating |
| 205 | the device is unlocked |
| 206 | </ul> |
| 207 | </td> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 208 | </tr> |
| 209 | </table> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 210 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 211 | <p>When altering partition contents, the bootloader checks the bits set by |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 212 | the above commands as described in the following table:</p> |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 213 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 214 | <table> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 215 | <col width="25%"> |
| 216 | <col width="75%"> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 217 | <tr> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 218 | <th><code>fastboot</code> command</th> |
| 219 | <th>Description</th> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 220 | </tr> |
| 221 | <tr> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 222 | <td><code>flash <partition></code></td> |
| 223 | <td>If the bit set by <code>flashing unlock</code> is set, flash the |
| 224 | partition. Otherwise, do not allow flashing. |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 225 | </td> |
| 226 | </tr> |
| 227 | </table> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 228 | |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 229 | <p>The same checks should be performed for any <code>fastboot</code> command |
| 230 | that can be used to change the contents of partitions.</p> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 231 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 232 | <p class="note"><strong>Note</strong>: Class B implementations support |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 233 | changing device state.</p> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 234 | |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 235 | <h4 id=binding_tee_root_of_trust>Binding TEE root of trust</h4> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 236 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 237 | <p>If TEE is available, the bootloader passes the following information to |
| 238 | the TEE after boot/recovery partition verification and TEE initialization |
| 239 | to bind the Keymaster root of trust:</p> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 240 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 241 | <ol> |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 242 | <li>the public key that was used to sign the boot partition |
| 243 | <li>the current device state (LOCKED or UNLOCKED) |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 244 | </ol> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 245 | |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 246 | <p>This changes the keys derived by the TEE. Taking disk encryption as an example, |
| 247 | this prevents user data from being decrypted when the device state changes.</p> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 248 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 249 | <p class="note"><strong>Note:</strong> This means if the system software or the |
| 250 | device state changes, encrypted user data will no longer be accessible as the |
| 251 | TEE will attempt to use a different key to decrypt the data.</p> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 252 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 253 | <h4 id="initializing-attestation">Initializing attestation</h4> |
| 254 | <p> |
| 255 | Similar to root of trust binding, if TEE is available, the bootloader passes it |
| 256 | the following information to initialize attestation: |
| 257 | </p> |
| 258 | <ol> |
| 259 | <li>the current boot state (GREEN, YELLOW, ORANGE) |
| 260 | <li>the operating system version |
| 261 | <li>the operating system security patch level |
| 262 | </ol> |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 263 | <h4 id=booting_into_recovery>Booting into recovery</h4> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 264 | |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 265 | <p>The recovery partition should be verified in exactly the same manner as the |
| 266 | boot partition.</p> |
| 267 | |
| 268 | <h4 id=comm_boot_state>Communicating boot state</h4> |
| 269 | |
| 270 | <p>System software needs to be able to determine the verification status of |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 271 | previous stages. The bootloader specifies the current boot state as a |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 272 | parameter on the kernel command line (or through the device tree under |
| 273 | <code>firmware/android/verifiedbootstate</code>) as described in the table |
| 274 | below:</p> |
| 275 | |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 276 | <table> |
| 277 | <tr> |
| 278 | <th>Kernel command line parameter</th> |
| 279 | <th>Description</th> |
| 280 | </tr> |
| 281 | <tr> |
| 282 | <td><code>androidboot.verifiedbootstate=green</code></td> |
| 283 | <td>Device has booted into GREEN boot state.<br> |
| 284 | Boot partition has been verified using the OEM key and it’s valid.</td> |
| 285 | </tr> |
| 286 | <tr> |
| 287 | <td><code>androidboot.verifiedbootstate=yellow</code></td> |
| 288 | <td>Device has booted into YELLOW boot state.<br> |
| 289 | Boot partition has been verified using the certificate embedded into |
| 290 | the signature and it’s valid.</td> |
| 291 | </tr> |
| 292 | <tr> |
| 293 | <td><code>androidboot.verifiedbootstate=orange</code></td> |
| 294 | <td>Device has booted into ORANGE boot state.<br> |
| 295 | The device is unlocked and no verification has been performed.</td> |
| 296 | </tr> |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 297 | </table> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 298 | <p class="note"><strong>Note</strong>: The device cannot boot into kernel when |
| 299 | in the RED boot state, and therefore the kernel command line never includes the |
| 300 | parameter <code>androidboot.verifiedbootstate=red</code>.</p> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 301 | |
| 302 | <h3 id=boot_partition>Boot partition</h3> |
| 303 | |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 304 | <p>Once execution has moved to the boot partition, the software there is responsible |
| 305 | for setting up verification of further partitions. Due to its large size, the |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 306 | system partition typically cannot be verified similarly to previous parts but is |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 307 | verified as it’s being accessed instead using the dm-verity kernel driver or a |
| 308 | similar solution.</p> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 309 | |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 310 | <p>If dm-verity is used to verify large partitions, the signature of the verity |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 311 | metadata appended to each verified partition is verified before the |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 312 | partition is mounted and dm-verity is set up for it.</p> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 313 | |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 314 | <h4 id=managing_dm-verity>Managing dm-verity</h4> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 315 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 316 | <p>Implemented as a device mapper target in kernel, dm-verity adds a layer |
| 317 | on top of a partition and verifies each read block against a hash tree passed to |
| 318 | it during setup. If it comes across a block that fails to verify, it makes the |
| 319 | block inaccessible to user space.</p> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 320 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 321 | <p>When mounting partitions during boot, fs_mgr sets up dm-verity for a |
| 322 | partition if the <code>verify</code> fs_mgr flag is specified for it in the |
| 323 | device’s fstab. Verity metadata signature is verified against the public key |
| 324 | in <code>/verity_key</code>.</p> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 325 | |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 326 | <h4 id=recovering_from_dm-verity_errors>Recovering from dm-verity errors</h4> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 327 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 328 | <p>Because the system partition is by far larger than the boot partition, the |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 329 | probability of verification errors is also higher. Specifically, there is a |
| 330 | larger probability of unintentional disk corruption, which will cause a |
| 331 | verification failure and can potentially make an otherwise functional device |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 332 | unusable if a critical block in the partition can no longer be accessed. |
| 333 | Forward error correction can be used with dm-verity to mitigate this risk. |
| 334 | Providing this alternative recovery path is recommended, though it comes at the |
| 335 | expense of increasing metadata size.</p> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 336 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 337 | <p> |
| 338 | By default, dm-verity is configured to function in a “restart” mode where it |
| 339 | immediately restarts the device when a corrupted block is detected. This makes |
| 340 | it possible to safely warn the user when the device is corrupted, or to fall |
| 341 | back to device specific recovery, if available. |
| 342 | </p> |
| 343 | |
| 344 | <p> |
| 345 | To make it possible for users to still access their data, dm-verity switches |
| 346 | to I/O Error (EIO) mode if the device boots with known corruption. When in EIO mode, |
| 347 | dm-verity returns I/O errors for any reads that access corrupted blocks but |
| 348 | allows the device to keep running. Keeping track of the current mode requires |
| 349 | persistently storing dm-verity state. The state can be managed either by fs_mgr |
| 350 | or the bootloader: |
| 351 | </p> |
| 352 | |
| 353 | <ol> |
| 354 | <li>To manage dm-verity state in fs_mgr, an additional argument is specified to |
| 355 | the <code>verify</code> flag to inform fs_mgr where to store dm-verity state. |
| 356 | For example, to store the state on the metadata partition, specify |
| 357 | <code>verify=/path/to/metadata</code>. |
| 358 | <p class="note"><strong>Note:</strong> fs_mgr switches dm-verity to EIO |
| 359 | mode after the first corruption has been detected and resets the mode |
| 360 | back to “restart” after the metadata signature of any verified partition |
| 361 | has changed.</p> |
| 362 | </li> |
| 363 | <li>Alternatively, to manage dm-verity state in the bootloader, pass the current |
| 364 | mode to the kernel in the <code>androidboot.veritymode</code> command line |
| 365 | parameter as follows: |
| 366 | |
| 367 | <table> |
| 368 | <tr> |
| 369 | <th>Kernel command line parameter</th> |
| 370 | <th>Description</th> |
| 371 | </tr> |
| 372 | <tr> |
| 373 | <td><code>androidboot.veritymode=enforcing</code></td> |
| 374 | <td>Set up dm-verity in the default “restart” mode.</td> |
| 375 | </tr> |
| 376 | <tr> |
| 377 | <td><code>androidboot.veritymode=eio</code></td> |
| 378 | <td>Set up dm-verity in EIO mode.</td> |
| 379 | </tr> |
| 380 | </table> |
| 381 | |
| 382 | <p class="note"> |
| 383 | <strong>Note:</strong> Managing state in the bootloader also requires the kernel |
| 384 | to set the restart reason correctly when the device restarts due to dm-verity. |
| 385 | After corruption has been detected, the bootloader should switch back to |
| 386 | “restart” mode when any of the verified partitions have changed.</p> |
| 387 | </li> |
| 388 | </ol> |
| 389 | |
| 390 | <p> |
| 391 | If dm-verity is not started in the “restart” mode for any reason, or verity |
| 392 | metadata cannot be verified, a warning displays to the user if the device is |
| 393 | allowed to boot, similar to the one shown before booting into the RED boot |
| 394 | state. The user must consent to the device to continue booting in EIO mode. If |
| 395 | user consent is not received in 30 seconds, the device powers off. |
| 396 | </p> |
| 397 | |
| 398 | <p class="note"> |
| 399 | <strong>Note:</strong> dm-verity never starts in logging mode to prevent |
| 400 | unverified data from leaking into userspace. |
| 401 | </p> |
| 402 | |
| 403 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 404 | |
| 405 | <h3 id=verified_partition>Verified partition</h3> |
| 406 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 407 | <p>In a verified device, the system partition is always verified. But any |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 408 | other read-only partition should also be set to be verified, as well. Any |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 409 | read-only partition that contains executable code is verified on a |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 410 | verified device. This includes vendor and OEM partitions, if they exist, for example.</p> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 411 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 412 | <p>To verify a partition, signed verity metadata is |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 413 | appended to it. The metadata consists of a hash tree of the partition contents |
| 414 | and a verity table containing signed parameters and the root of the hash tree. |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 415 | If this information is missing or invalid when dm-verity is set up for the |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 416 | partition, the device doesn't boot.</p> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 417 | |
| 418 | <h2 id=implementation_details>Implementation details</h2> |
| 419 | |
| 420 | <h3 id=key_types_and_sizes>Key types and sizes</h3> |
| 421 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 422 | <p>The OEM key used in AOSP is an RSA key with a modulus of 2048 bits or |
| 423 | higher and a public exponent of 65537 (F4), meeting the CDD requirements of |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 424 | equivalent or greater strength than such a key.</p> |
| 425 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 426 | <p>Note that the OEM key typically cannot be rotated if it's compromised, so |
| 427 | protecting it is important, preferably using a Hardware Security Module (HSM) |
| 428 | or a similar solution. It's also recommended to use a different key for each |
| 429 | type of device.</p> |
| 430 | |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 431 | <h3 id=signature_format>Signature format</h3> |
| 432 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 433 | <p>The signature on an Android verifiable boot image is an ASN.1 DER-encoded |
| 434 | message, which can be parsed with a decoder similar to the one found at: <a |
| 435 | href="https://android.googlesource.com/platform/bootable/recovery/+/f4a6ab27b335b69fbc419a9c1ef263004b561265/asn1_decoder.cpp">platform/bootable/recovery/asn1_decoder.cpp</a><br/> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 436 | The message format itself is as follows:</p> |
| 437 | |
| 438 | <pre> |
| 439 | AndroidVerifiedBootSignature DEFINITIONS ::= |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 440 | BEGIN |
| 441 | FormatVersion ::= INTEGER |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 442 | Certificate ::= Certificate |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 443 | AlgorithmIdentifier ::= SEQUENCE { |
| 444 | algorithm OBJECT IDENTIFIER, |
| 445 | parameters ANY DEFINED BY algorithm OPTIONAL |
| 446 | } |
| 447 | AuthenticatedAttributes ::= SEQUENCE { |
| 448 | target CHARACTER STRING, |
| 449 | length INTEGER |
| 450 | } |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 451 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 452 | Signature ::= OCTET STRING |
| 453 | END |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 454 | </pre> |
| 455 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 456 | <p>The <code>Certificate</code> field is the full X.509 certificate containing |
| 457 | the public key used for signing, as defined by <a |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 458 | href="http://tools.ietf.org/html/rfc5280#section-4.1.1.2">RFC5280</a> section |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 459 | 4.1. When LOCKED, the bootloader uses the OEM key for verification |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 460 | first, and only boot to YELLOW or RED states if the embedded certificate is |
| 461 | used for verification instead.</p> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 462 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 463 | <p>The remaining structure is similar to that defined by <a |
| 464 | href="http://tools.ietf.org/html/rfc5280#section-4.1.1.2">RFC5280</a> sections |
| 465 | 4.1.1.2 and 4.1.1.3 with the exception of the |
| 466 | <code>AuthenticatedAttributes</code> field. This field contains the length of |
| 467 | the image to be verified as an integer and the partition where the image can |
| 468 | be found (boot, recovery, etc.).</p> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 469 | |
| 470 | <h3 id=signing_and_verifying_an_image>Signing and verifying an image</h3> |
| 471 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 472 | <p><strong>To produce a signed image:</strong></p> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 473 | <ol> |
| 474 | <li>Generate the unsigned image. |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 475 | <li>0-pad the image to the next page size boundary (omit this step if already |
| 476 | aligned). |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 477 | <li>Populate the fields of the <code>AuthenticatedAttributes</code> section |
| 478 | above based on the padded image and desired target partition. |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 479 | <li>Append the <code>AuthenticatedAttributes</code> structure above to the image. |
| 480 | <li>Sign the image. |
| 481 | </ol> |
| 482 | |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 483 | <p><strong>To verify the image:</strong></p> |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 484 | <ol> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 485 | <li>Determine the size of the image to be loaded including padding (e.g. by reading |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 486 | a header). |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 487 | <li>Read the signature located at the offset above. |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 488 | <li>Validate the contents of the <code>AuthenticatedAttributes</code> field. |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 489 | If these values do not validate, treat it as a signature validation error. |
Clay Murphy | 0d59668 | 2014-10-23 12:06:03 -0700 | [diff] [blame] | 490 | <li>Verify the image and <code>AuthenticatedAttributes</code> sections. |
| 491 | </ol> |
| 492 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 493 | <h3 id=user_experience>User experience</h3> |
| 494 | |
| 495 | <p>A user in the GREEN boot state should see no additional user interaction besides that |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 496 | required by normal device boot. In ORANGE and YELLOW boot states, the user sees a |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 497 | warning for at least five seconds. Should the user interact with the device during |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 498 | this time, the warning remains visible at least 30 seconds longer, or until |
| 499 | the user dismisses the warning. In the RED boot state, the warning is shown for |
| 500 | at least 30 seconds, after which the device powers off.</p> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 501 | |
| 502 | <p>Sample user interaction screens for other states are shown in the following table:</p> |
Clay Murphy | e25f9da | 2015-05-18 14:57:31 -0700 | [diff] [blame] | 503 | |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 504 | <table> |
| 505 | <tr> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 506 | <th>Device state</th> |
| 507 | <th>Sample UX</th> |
| 508 | <th> </th> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 509 | </tr> |
| 510 | <tr> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 511 | <td>YELLOW</td> |
| 512 | <td><img src="../images/boot_yellow1.png" alt="Yellow device state 1" id="figure2" /> |
| 513 | <p class="img-caption"><strong>Figure 2.</strong> Before user interaction</p> |
| 514 | </td> |
| 515 | <td><img src="../images/boot_yellow2.png" alt="Yellow device state 2" id="figure3" /> |
| 516 | <p class="img-caption"><strong>Figure 3.</strong> After user interaction</p> |
| 517 | </td> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 518 | </tr> |
| 519 | <tr> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 520 | <td>ORANGE</td> |
| 521 | <td><img src="../images/boot_orange.png" alt="Orange device state" id="figure4" /> |
| 522 | <p class="img-caption"><strong>Figure 4.</strong> Warning that device is |
| 523 | unlocked and can’t be verified.</p> |
| 524 | </td> |
| 525 | <td> </td> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 526 | </tr> |
| 527 | <tr> |
Danielle Roberts | 1a1441a | 2016-06-17 13:50:20 -0700 | [diff] [blame] | 528 | <td>RED</td> |
| 529 | <td><img src="../images/boot_red1.png" alt="Red device state" id="figure5" /> |
| 530 | <p class="img-caption"><strong>Figure 5.</strong> Verified boot failure |
| 531 | warning</p> |
| 532 | </td> |
| 533 | <td><img src="../images/boot_red2.png" alt="Red device state" id="figure6" /> |
| 534 | <p class="img-caption"><strong>Figure 6.</strong> Booting into EIO mode |
| 535 | warning</p> |
| 536 | </td> |
Clay Murphy | bc8a22a | 2015-03-02 18:49:17 -0800 | [diff] [blame] | 537 | </tr> |
| 538 | </table> |